23 March 2019

Aus ADF/ MHFCS FSK 600Bd/850 with KW-46 encryption


Quite good FSK 600Bd/850 signal centered on 10405 KHz from Australian Defence Force (ADF/MHFCS), heard some days ago around 1630z using iw2nke KiwiSDR (center Italy). As reported in UDXF logs by Eddy Waters [1] [2], Australian Defence Force has changed the previous dual channel system (ISB) to two single channel with 4 KHz spacings: the lower of the 2 frequencies has a speed of 600 baud, while the higher is 50 baud. The shift in both cases is 850 Hz. As in the waterfall above, I did not hear the 50bd FSK signal 4 KHz above (i.e. on 10409 KHz): maybe it's missing? Eddy also logged 10405 KHz frequency reporting ADF MHFCS Humpty Doo as location of the Tx.

Fig. 1 - main parameters
After arranged the demodulated stream into a 7-bit format, it's possible to detect the presence of the sequence called "Fibonacci bits" originated by the polynomial x^31+x^3+1 and which reveals the use of KW-46 crypto device (Fig. 2) as per STANAG-5065 Annex-A.
Fig. 2 - 7-bit frame delimited by KW-46 sync bit
As reported here, the lower signal in ISB mode was called "Rockwell CPU100", don't know if such nickname is still valid.

Humpty  Doo  Transmitting  Station  is  situated  on  an  almost  800 hectare parcel of land near Middle Point and is located approximately 50 kilometres east/ south east of Darwin. Run and point google Earth to 12°36'39"S   131°17'28"E.

Fig. 3 - Humpty  Doo  Transmitting  Station


26th March, update

ADF/MHFCS paradigm (signal recorded by my friend ANgazu, credits to SWLOI33 Jakarta, KiwiSDR owner). As you see, the spacing between the signals matches the expected 4 KHz. The FSK 50Bd too uses the KW-46 crypto device.


15 March 2019

Harris WB operations and UK MoD XMPP over HF: interesting confirmations

Reading the Harris and Isode-Babcock presentations at the recent HFIA Meeting in San Diego, CA (February 14, 2019) I had an interesting feedbacks which could confirm the guess I did about:
1) new wideband HF waveforms tested by Harris (the analysis is posted here)
2) XMPP chat over HF by UK MoD (the analysis is posted here).

1) In the Harris presentation "Summary of Harris on-air testing of WBHF systems 2010-2018" you can read that since 2015 Harris began development of a WBHF Hybrid Automatic Repeat Request (ARQ) waveform for use on HF (WHARQ). It supports 3, 6, 9, 12, 15, 18, 21, 24 kHz. WHARQ is bundled in a new radio mode called 3G Wideband IP (3GWBIP) which has been tested extensively on the bench and over the air. On-air 3GWBIP testing took place on november-december 2018 using NVIS link and 150 Watt power.

As posted here, me and some friend of mine saw 3-24 Khz bandwith waveforms with modulations from PSK-8 to QAM-64 and data rates from 75 to 120,000 bps. Although the characteristics such as BWs, modulations and speeds are the same as those indicated in Appendix D of MIL-STD 188-110D (WBHF), these adaptive waveforms definitely do not belong to that standard. 
Maybe we just hear those WHARQ/3GWBIP waveforms?

2) in the Isode-Babcock presentation "UK Mod XMPP over HF Pilot" you find that UK MoD Funded Babcock to run an XMPP over HF trial using Isode XMPP Software. “Group Chat” provided by XMPP Multi-User Chat (MUC) is the core service Highly desirable to use Real Time Chat for Naval and Airborne communication when HF is the only available bearer. In the paper they presentred the trials run to evaluate viability of providing this service over STANAG 5066 ARQ.

Well, I'm happy to see that this paper matches the results posted here

13 March 2019

use of uuencode for email attachments (Swiss-Mil)

This post is an update, mostly a deepening, of the posts published here and here with regards to the way of sending email used by Swiss-Mil. The idea came from a hint from my friend Mike "mco", whom I thank here.

When files, especially email attachments, are transmitted over links that do not support other than simple ASCII data, non-printable characters (for example, control characters) might be interpreted as commands, telling the network to do something. In general, therefore, it is not safe to transmit a file if it contains such characters. UUEncode (Unix to Unix Encoding) is a symmetric encryption based on conversion of binary data (split into 6-bit blocks) into 65 ASCII printable characters (from 32 to 96) and is just used to transmit binary files. 
A message encrypted by uuencode is easily identifiable: it begins with the line 
begin <mode> <name> 
where <mode> is the value of the access rights to the Unix file and <name> is the name of the file that will be created at decoding; the message ends with a line containing only "end". 
An example of the use of uuencode can be seen by analyzing some Swiss-Mil transmissions.
Figure 1 shows the data from a transmission, recorded on 09187.0 KHz/usb, as they appear after the removal of 188-110A overhead (the HF waveform) and the FED-1052 App.B DLP encapsulation (the Data Link protocol).
Fig. 1 - email inline attachment sent using UUEncode

Some data of the email are in clear text, in this sample:
ZJ1 root@bfzj1f1.is.bf.intra2.admin.ch, ZJ1 sender
ZA1 statist@bf.intra2.admin.ch, ZA1 recipient
email ID: "stat-ZJ1-20181113135501" (2018.11.13, time: 135501)

The contents are encrypetd using the "IDEA" algorithm (1) [1]:
EncryptionMode=CFB64, Cipher feedback (CFB) mode using 64-bit blocks
InitialVector=10A2B70A51AACF17, 128-bit initialization vector (Message Indicator, MI)

The email attachment consists of the (encrypted) block between the lines:
begin 666 /tmp/CFB640250215BEAD7EF13EFAE90.dat

that clearly indicate that uuencoding is being used. More precisely, at receive side will create a file named CFB640250215BEAD7EF13EFAE90.dat with access rights 666 in /tmp directory. 

Since in all my samples the uuencoded filenames start with the cipher feedback mode CFB64 (see here) I tend to think that those files are first encrypted using IDEA algorithm then encoded by uuencode, according to the layers shown in Fig. 2.

Fig. 2
As ending note, it's interesting to notice that this method of message formatting is suggested for any email client or gateway that does not  support MIME and that long before the MIME format  there was just UUEncode. Maybe do they use old not-MIME Unix systems? Do they need to be compatible in all their networks?

(1) IDEA algorithm is developed at ETH in Zurich, Switzerland, and its patents are heald by the Swiss company Ascom-Tech AG. In year 2008 Ascom Security Solutions has been commissioned by Armasuisse (Federal Office for Defence Procurement agency for armaments of Switzerland) to deliver telecommunications equipment as part of the 2007 Armaments Programme.

[1] https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm

2 March 2019

STANAG-5030/MIL-188-140 VLF/LF multichannel broadcast to submarines (2)

(this is a follow-up of the post published here)

The narrow 200Hz bandwidth for VLF/LF submarine broadcast and the low efficiency of the aerials are limiting factors, but the use of MSK (a form of QPSK) can allow optimum use of that narrow bandwidth. Indeed, using MSK it is possible to transmit two 100 Baud channels X and Y, each on a pair of phase, and each channel can consists of 2x50 Baud multiplexed channels. Thus, MSK can provide a TDM multi-channel broadcast of  up to 4x50 Baud within the 200Hz assigned band. These transmissions are easy to hear, either locally or, better, using remote SDRs such as the ones provided by Kiwi and thanks to the MSK demodulator coded by my friend Christoph [1] it is possible to study the bitstreams and verify their characteristics. 
The vast majority of users transmit four VALLOR channels (X1, X2, Y1, Y2), i.e. four 50 Baud channels which use KW-46 encryption system. In each channel, data are arrangend in the format defined by STANAG-5065 in which frames are delimited by the pseudo-random sequence generated by the polynomial x^31+x^3+1 ("Fibonacci bits"). Error Correction And Detection (EDAC) is performed using Wagner coding.

One of the examples of four VALLOR broadcast is the DHO38 station (Fig. 1): a VLF transmitter on 24.3 KHz used by the German Navy to transmit orders to submarines and navies of Germany and other NATO countries. Figure 2 shows the four X1, X2, Y1, and Y2 14-bit streams: the marked columns are the Fibonacci bits.

Fig. 1 - DHO38 constellation
Fig. 1 - the four VALLOR streams from DHO38

The most interesting subComm station is FUE French-Ny on 65.8 KHz from Kerlouan.

Fig. 3 - FUE constellation
As shown in Fig. 4, X1 and X2 channels use the same format of the French-Ny FSK 50/850 broadcast [2]. That format exhibits a characteristic 21-bit frame and, in a way similar to STANAG-5065, two/three sub-frames which are delimited by the bits of two LFSR markers M1 and M2 and a logical "1" value bit (1-bit). The sequences for the two markers are generated by the polynomials x^6+x^5+1 and x^7+x^6+1.
The other two channels Y1 and Y2 are sent using the S5030 VALLOR format (14-bit frames, KW-46 and Wagner coding).

Fig. 4 - the four streams from FUE
Don't know if it is their normal way to operate or it's just a coincidence, perhaps they use two channels for the shore-to-sub VALLOR boadcasts (Y1 Y2) while the other twos (X1 X2) are connected to the shore-to-ship broadcast, who knows?

[1] https://github.com/hcab14/signal-analysis/blob/master/m/demod_msk.m 
[2] http://i56578-swl.blogspot.com/2015/06/french-navy-broadcast-fsk-50bd850.html 

18 February 2019

unid signals from US KiwiSDRs
by ANgazu & Rapidbit

This signal was recorded tuning 5308 Khz and using some KiwiSDRs from the northeast of the US, mainly the one owened by K3FEF in Milford (PA). Since its various operating modes and its uncommon parameters, we decided to study it a little more thoroughly, leaving out the transmission purposes and the hypothetical users. The duty cycle of the signal is quite low so it took several hours of recording to collect signals suitable to be analyzed.

In the spectrogram of a recording we can see the bandwidth of the modes (Fig. 1). When several consecutive segments are transmitted, the separation between them is about 3m30s and the duration of the segments ranges between 94 and 106 seconds.

Fig. 1

mode 1
This mode has a spectral occupation of one 1000 Hz. The modulation is QPSK although with a notable majority of the symbols 0 and 2 and a speed of 600 Baud (Fig. 2). The ACF can be 840ms or 800ms and does not seem to transmit information, but seems  to be idling. After demodulation, bits aligned in frames of 1008 bits for ACF of 840 ms and 960 bits for ACF of 800 ms (Fig. 3).

Fig. 2
Fig. 3
mode 2
Its spectral occupation is about 1600 Hz. The modulation is QPSK with the same structure of mode 1, with a speed of 1200 Baud and an ACF of 420ms or 400ms. Also this mode exhbits a 1008 bits (960) frame with a very similar structure (Fig. 4).


mode 3
The modulation speed is 1200 Baud with a spectral occupancy of about 1400Hz. It is a GFSK with a shift of about 800 Hz andACF of 840ms or 800ms. The binary frame has a 1008 or 960 bits length (Fig. 5).

mode 4
The modulation speed is 300 Baud with a spectral occupancy of about 600 Hz. The modulation is an FSK with a shift of 400 Hz and an ACF of 3.35  or 3.2 seconds. Once demodulated, the frame is still 1008 bits or 960 bits just like the previous ones (Fig. 6).

Fig. 6

7 February 2019

odd signals picked-up using the Arctic KiwiSDR

7600 Hz wideband signals from (only!) Kiwi ArcticSDR and using single tone QAM-64 modulation at a symbol rate of 7200Bd. The signals seem to have specular positions of a "supposed" reference/pilot tone. Most likely, the signals "leak" out of wired high-voltage lines (PLC) running close the Bjarne's KiwiSDR.


31 January 2019

8-ary constellation bursts at 12800bps data rate (3)

This is a follow-up of the posts about the "clusters" of S4539 12800bps bursts, all posts including this one are grouped here.
Since a couple of days it's possible to hear both the peers, don't know if it's due to new test sites or increased powers but previously the "called" station was not heard (or maybe it did not even exist). As you see, the "called" listens on f2 while it simultaneously replies on f1 (the same for f2/f3 and in all the six clusters) as well as the "caller" station puts its call on f2 while it simultaneously listens on f1 (Fig. 1); the interval between the call and the reply is about 319 ms. Maybe they use staring and synched SDRs?

Fig. 1
This simultaneity is also noted between the lower frequency of a cluster and the higher frequency of the preceding one, as shown in Fig. 2. Particularly, Figure 3 shows the timings between the last and the first cluster (the different signal strengths in Fig. 3 depend on the different locations of the two used KiwiSDRs).

Fig. 2 - timings between two consecutive clusters
Fig. 3 - timings between the last and the first cluster
The raw demodulation exhibits strong 7680-bit period that make 1280 QAM64 symbols (Fig. 4).

Fig. 4

23 January 2019

wideband operations on 4950 KHz, new Harris wideband HF waveforms

since few weeks me and my friend and colleague ANgazu are studying interesting wideband waveforms family spotted on 4950 KHz (central frequency), just in the middle of the 60 mt Broadcast band, these transmissions have been also reported here by our friend KarapuZ from radioscanner.  Monitoring was done thanks the KiwiSDR owned by WA2ZKD that can provide up to 20KHz IQ band http://rx.jimlill.com:8073/.

As shown in Fig. 1, they use Harris WB-ALE paradigm for call and link negotiation:
- STANAG-4538 FLSU initial call for link setup
- spectrum sensing to measure interference within the selected wideband channel
- new burst handshake exchanges spectrum sense measurements
- data exchange
- STANAG-4538 FLSU for link term

Fig. 1
The Harris wideband ALE approach and the 3G extensions for wideband have been previously discussed in this post.  

For what concerns tha data waveforms, we saw bandwiths from 3-24 Khz and modulations from PSK-8 to QAM-64 with a data rate from 75 to 120,000 bps.
Each transmission begins with a transmit level control (TLC) block to allow radio transmit gain control (TGC), transmitter automatic level control (ALC), and receiver automatic gain control (AGC) loops to settle before the actual preamble is sent/received. A variable length preamble for reliable synchronization and autobauding follows the TLC section and it's followed by ariable length frames of alternating data (unknown) and mini-probes (known) symbols: times vary depending on the combinations of speed and modulation.
Although the characteristics such as BWs, modulations and speeds are the same as those indicated in Appendix D of MIL-STD 188-110D (WBHF), these adaptive waveforms definitely do not belong to that standard. Indeed, as shown in the following figures (2-5), the waveforms exhibit a common structure consisting of a super frame which is formed of 8 frames probably related to the 8 different allowable bandwidths: a similar structure and the duration of the frames (i.e., the number of K and U symbols) are quite different from what is stated in the Appendix D.

Fig. 2 - 4800Bd/6KHz waveform
Fig. 3 - 7200Bd/9KHz waveform
Fig. 4 - 9600Bd/12KHz waveform
Fig. 5 - 16800Bd/18KHz waveform

The frames structures have been verified also by analyzing some streams after the demodulation of the signals: in figure 6 the result of the demodulation of a 9600Bd/12KHz chunk (in this case using PSK-8 modulation):

Fig. 6
When measuring  the symbole rate using the quadrature detector, an interesting pattern shows up: a repetitive 8 blocks group which are generated by miniprobes. Up to date, we know the "frequency" in these blocks is different for every speed, starting in lower freq and going upwards. In some modes a mirror image can be seen as in Fig. 7. This is an odd feature since it looks like miniprobes are not phase modulated as data are.

Fig. 7
The 8 different minprobes repeat in a particular series and are complicated to study, their structure point to a sequence (maybe using Walsh modulation?) that repeats 4 times: this pattern seems to be the same in all waveforms varying frequency/duration.
Fig. 8
We have other examples of such miniprobes but we prefer to postpone to a next post, if possible with more precise details. For this purpose, ANgazu and I would like to have some other better recordings (i.e., with IQ band > 20KHz) from friends in US so that we can gather more informations. Thanks!


9 January 2019

unid 1200Bd (G)FSK bursts recorded in Japan

This signal was recorded at different periods using some the KiwiSDRs located in Japan ( http://kiwisdr-jp7fso.ddns.net:8073), it was observed, at least, in three frequencies: 4765, 4626 and 4584 KHz. During night-time good results are also obtained with the KiwiSDR at Irkutsk (Russia), so the origin of the signal seems to be Japan or surroundings. 
My spanish friends ANgazu and Rapidbit (from radiofrecuencias group) did a brief analysis measuring the speed (1200Bd) and the shift between tones (825-890 KHz) and suggesting the GFSK mode (Fig. 1). On my behalf, I veried their measurements and verified that the bursts are 26 secs spaced and carry the same (encrypted?) text sent in async 8N1 mode (Fig. 2), although there are some difference among old recordings and new ones. The stream obtained after removal the start/stop bits does not offer useful information (encryption? not-standard 8-bit alphabet?), same results after descrambled the stream using the polynomial x^3+x^2+x+1. 

Fig. 1
Fig. 2
Maybe some kind of beacon? We thinked that a reference could help others to record and study the signal.

1 January 2019

last logs of 2018

04833.5: ---: Unid, prob. UK MoD 2114 USB MIL 188-110A serial tone waveform, testing XMPP multi-user chat over HF using STANAG-5066 RCOP protocol. Also logged on 4381.0 Khz. (07Dec18) (AAI)
05290.0: TN5: "ZaSKIS" Base for Stationary Communication and Information Systems SVK-Mil Trencin, SVK 1337 USB MIL 188-141A 2G-ALE, handshake PO2 "VKPRESOV" Presov, STANAG-4285 waveform, FTP transfer of GZIP copressed email & files via STANAG 5066 using HBFTP client (12Dec18) (AAI)
05390.8: HWK01: Swedish Mil, S 1334 USB 3G-HF 1-way FLSU, circuit service mode using MIL 188-110A serial tone waveform, sending wrapped data via STANAG-5066 UDOP client (20Dec18) (AAI)
05787.0: CAMP: Unid 1444 USB MIL 188-141A 2G-ALE, calling all stations, MIL 188-110A serial tone waveform, 5x128-bit MI (10Dec18) (AAI)
06395.0: BS3101: Unid 1427 USB MIL 188-141 2G-ALE, handshake BS3501, no continuation (21Nov18) (AAI)
06796.0: TZSO4: Unid 1003 USB MIL 188-141 2G-ALE, sounding (10Nov18) (AAI)
07572.0: PEGASO: Spanish-AF EVA (Escuadrón Vigilancia Aérea) Torrejón de Ardoz, S 0845 USB aily radio-checks with EVA's stations (KANSAS, ORION, EMBARGO, DAGON, PRIMUS,POLAR,...) (26Nov18) (AAI)
07600.0: FN01: Algerian-Mil, ALG 0834 USB MIL 188-141 2G-ALE, handshake FN02, MIL 188-110A serial tone waveform (26Nov18) (AAI)
07641.0: TXFA5: Guardia Cuvil, E 1057 USB MIL 188-141 2G-ALE, calling TWLL1 (also heard callings to TWLN1, TWVB1, TWVO1) (20Dec18) (AAI)
07840.0: SWA: Unid 0949 USB MIL 188-141 2G-ALE, calling SRX (30Nov18) (AAI)
07840.0: SWA: Unid 0954 USB MIL 188-141 2G-ALE, calling HY8 (30Nov18) (AAI)
07840.0: SWA: Unid 1001 USB MIL 188-141 2G-ALE, calling 8CQ (30Nov18) (AAI)
07841.0: DA09: Unid 0745 USB MIL 188-141 2G-ALE calling DA01 (02Nov18) (AAI)
07922.0: ---: Unid 0944 USB STANAG-4286 600bps/L, sending KG-84 encripted data (16Nov18) (AAI)
07975.0: ---: Unid 0840 (CF) MFSK-11 125Bd/250 792ms ACF, lasting ~47s. Also heard at 0915 (07Nov18) (AAI)
08086.0: JU10: Algerian-Mil, ALG 1413 USB MIL 188-141 2G-ALE, calling NX1 (17Dec18) (AAI)
08146.0: AGH: Iraqi Emergency Response Forces, IRQ  1431 USB MIL 188-141 2G-ALE sounding (08Nov18) (AAI)
08167.0: ---: Unid 1230 USB STANAG-4285 600bps/S, async 5N1.5 (ITA2) transfer, encrypted data (18Dec18) (AAI)
08170.0: ---: UK DHFCS, Cyprus 1730 USB STANAG-4285 2400bps/L bursts, 1536-bit TDM protocol (15Dec18) (AAI)
08327.0: ---: Unid 0852 USB 3G-HF 2-way FLSU handshake, HDL+ transfer (26Nov18) (AAI)
08408.0: Unid 0939 (CF) FSK 75Bd/200 continuous encrypted bcast, TDoA runs point to south-west Med sea. Also heard on 10182.0 (CF) (02Nov18) (AAI)
08630.0: HY8: Unid (Algerian-Af?) 0930 USB MIL 188-141A 2G-ALE calling SRB (12Dec18) (AAI)
08770.0: Unid 1500 USB STANAG-4197 ANDVT system (02Nov18) (AAI)
09000.0: KML: Unid 0856 USB MIL 188-141 2G-ALE, calling MAN (03Dec18) (AAI)
09000.0: MAN: Unid 0859 USB MIL 188-141 2G-ALE, calling KML (03Dec18) (AAI)
09019.0: XSS: DHFCS, UK 1509 USB MIL 188-141 2G-ALE sending wx METARs & TAFs via AMD to UKE303 AWACS for RAF airports Waddington (EGXW) e Brize Norton (EGVN)(08Nov18) (AAI)
09065.0: Russian /Mil/Gov 0832 (CF) FSK 100Bd/500, T-207 encryption (02Nov18) (AAI)
09105.0: ---: Unid (US-Mil?) 1240 USB MIL 188-110A serial, IP-over-HF via STANAG-5066 RCOP, 1380 bytes IP packets from to ESP (IPSec) secure protocol used. STANAG-5066 Addresses ( belong to US-DoD (07Nov18) (AAI)
09187.0: ZJ1: Swiss Army, CH 1357 USB MIL 188-141A 2G-ALE handshake ZA1 using Linking Protection, MIL 188-110A serial tone waveform, sending email via FED-1052 App.B, encrypted ASCII-7 data using CFB64 "IDEA" algorithm (12Nov18) (AAI)
09299.0: DA10: Unid 1151 USB MIL 188-141 2G-ALE calling DA01 (08Nov18) (AAI)
09920.0: DA09: Unid 1400 USB MIL 188-141 2G-ALE calling DA01 (05Nov18) (AAI)
10790.0: ---: Russian Mil/Gov 1110 USB CIS-79 "TANDEME", OFDM 79-tone QAM-64 30.5Bd 37.5Hz, PSK-2 special/control symbol each 3 tones (11Dec18) (AAI)
11029.0: DA03: Unid 1100 USB MIL 188-141 2G-ALE calling DA01 (03Nov18) (AAI)
11371.4: HBLZDRD1: Roumenian-Mil, ROU 0801 USB MIL 188-141 2G-ALE calling HFJCDRD1 (02Nov18) (AAI)
11371.4: HBLZDRzZM: Roumenian-Mil, ROU 0810 USB MIL 188-141 2G-ALE calling HFJCDRzZM (02Nov18) (AAI)
12062.0: HL2: Polish-Mil, POL 1050 USB MIL 188-141 2G-ALE, calling KW7 (17Nov18) (AAI)
14606.0: KA2: (KALI12) Polish KFOR unit, KSV 0915 USB MIL 188-141 2G-ALE handshake PL4 (PLATER04), MIL 188-110A serial tone waveform, sending email via STANAG-5066 using HBFTP client, compressed data using GZIP (12Nov18) (AAI)
14606.0: PL4: (PLATER04) Polish KFOR unit, KSV 1118 USB MIL 188-141 2G-ALE handshake OD8 (ODRYNA08), MIL 188-110A serial tone waveform, sending email via STANAG-5066 using HBFTP client, compressed data using GZIP (10Nov18) (AAI)